System Evaluation of the Agencywide Documents Access and Management System

OIG-04-A-21   September 30, 2004

REDACTED FOR PUBLIC RELEASE

OFFICE OF THE INSPECTOR GENERAL
U.S. NUCLEAR REGULATORY COMMISSION

System Evaluation of the Agencywide Documents Access and Management System

OIG-04-A-21   September 30, 2004

EVALUATION REPORT

All publicly available OIG reports (including this report) are accessible through NRC's website at:
http://www.nrc.gov/reading-rm/doc-collections/insp-gen/


September 30, 2004

MEMORANDUM TO:   Luis A. Reyes
                 Executive Director for Operations

FROM:            Stephen D. Dingbaum /RA/
                 Assistant Inspector General for Audits

SUBJECT:         SYSTEM EVALUATION OF THE AGENCYWIDE DOCUMENTS ACCESS AND MANAGEMENT SYSTEM (ADAMS) (OIG-04-A-21)

This evaluation was conducted as part of the Office of the Inspector General's review of NRC's implementation of the Federal Information Security Management Act (FISMA) for FY 2004. Richard S. Carson & Associates, Inc., performed this independent system evaluation on behalf of OIG.

Based on its review and evaluation of ADAMS' management, operational, and technical controls, Richard S. Carson & Associates, Inc., determined that ADAMS has the following weaknesses:

   •   Security documentation does not always follow required guidelines.
   •   Security protection requirements are inconsistent within ADAMS' security documentation.
   •   NRC is not tracking all action items resulting from testing the security controls.

The weaknesses identified are not significant deficiencies or reportable conditions. During an exit conference on September 15, 2004, NRC officials provided comments concerning the draft audit report and opted not to submit formal written comments to this report.

If you have any questions or wish to discuss this report, please call me at 415-5915 or Beth Serepca at 415-5911.

Attachment: As stated


Distribution List

B. John Garrick, Chairman, Advisory Committee on Nuclear Waste
Mario V. Bonaca, Chairman, Advisory Committee on Reactor Safeguards
John T. Larkins, Executive Director, Advisory Committee on Reactor Safeguards/Advisory Committee on Nuclear Waste
G. Paul Bollwerk, III, Chief Administrative Judge, Atomic Safety and Licensing Board Panel
Karen D. Cyr, General Counsel
John F. Cordes, Jr., Director, Office of Commission Appellate Adjudication
Jesse L. Funches, Chief Financial Officer
Janice Dunn Lee, Director, Office of International Programs
William N. Outlaw, Director of Communications
Dennis K. Rathbun, Director, Office of Congressional Affairs
Eliot B. Brenner, Director, Office of Public Affairs
Annette Vietti-Cook, Secretary of the Commission
Patricia G. Norry, Deputy Executive Director for Management Services, OEDO
William F. Kane, Deputy Executive Director for Homeland Protection and Preparedness, OEDO
Martin J. Virgilio, Deputy Executive Director for Materials, Research and State Programs, OEDO
Ellis W. Merschoff, Deputy Executive Director for Reactor Programs, OEDO
William M. Dean, Assistant for Operations, OEDO
Jacqueline E. Silber, Chief Information Officer
Michael L. Springer, Director, Office of Administration
Frank J. Congel, Director, Office of Enforcement
Guy P. Caputo, Director, Office of Investigations
Paul E. Bird, Director, Office of Human Resources
Corenthis B. Kelley, Director, Office of Small Business and Civil Rights
Jack R. Strosnider, Director, Office of Nuclear Material Safety and Safeguards
James E. Dyer, Director, Office of Nuclear Reactor Regulation
Carl J. Paperiello, Director, Office of Nuclear Regulatory Research
Paul H. Lohaus, Director, Office of State and Tribal Programs
Roy P. Zimmerman, Director, Office of Nuclear Security and Incident Response
Samuel J. Collins, Regional Administrator, Region I
William D. Travers, Regional Administrator, Region II
James L. Caldwell, Regional Administrator, Region III
Bruce S. Mallett, Regional Administrator, Region IV
Office of Public Affairs, Region I
Office of Public Affairs, Region II
Office of Public Affairs, Region IV


"Office of the Inspector General System Evaluation of the Agencywide Documents Access and Management System (ADAMS)"

Contract Number: GS-00F-0001N
Delivery Order Number: DR-36-03-346

September 24, 2004

"The views, opinions, and findings contained in this report are those of the authors and should not be construed as an official U.S. Nuclear Regulatory Commission position, policy, or decision, unless so designated by other official documentation."


System Evaluation of ADAMS

EXECUTIVE SUMMARY

BACKGROUND

On December 17, 2002, the President signed the E-Government Act of 2002 (Public Law 107-347), which includes the Federal Information Security Management Act (FISMA) of 2002. FISMA outlines the information security management requirements for agencies, which include an independent evaluation of an agency's information security program and practices, and an evaluation of the effectiveness of information security control techniques. FISMA also requires an assessment of compliance with requirements and related information security policies, procedures, standards, and guidelines. As part of the Fiscal Year 2004 FISMA independent evaluation of the U.S. Nuclear Regulatory Commission's (NRC) information technology security program, Richard S. Carson Associates, Inc. (Carson Associates) reviewed security controls for the Agencywide Documents Access and Management System (ADAMS).

ADAMS is an electronic record keeping system that has been approved by the National Archives and Records Administration. NRC processes hundreds of legal, administrative, and regulatory documents each day. These documents are generated both internally and externally in various formats and are made available, in whole or in part, to the Government or the public, for reference and reuse. NRC developed ADAMS to replace the paper-oriented environment that no longer supported its needs.

PURPOSE

The system evaluation objectives were to review and evaluate the management, operational, and technical controls for ADAMS.

RESULTS IN BRIEF

Carson Associates reviewed ADAMS security documentation and found that ADAMS security documentation is not always consistent with National Institute of Standards and Technology (NIST) guidelines, that the security protection requirements are inconsistent within ADAMS security documentation, and that findings and recommendations resulting from testing are not consistently being tracked. None of these weaknesses are considered to be significant deficiencies or reportable conditions as defined in Office of Management and Budget guidance.

Security Documentation Is Not Always Consistent With NIST Guidelines

FISMA directs the Secretary of Commerce, on the basis of standards and guidelines developed by NIST, to prescribe standards and guidelines pertaining to Federal information systems. NIST has developed several guidelines and standards, including those for conducting risk assessments and for developing security plans and contingency plans. NRC Management Directive (MD) 12.5, NRC Automated Information Security Program, which was revised in September 2003, states that NRC shall comply with NIST guidance, to include guidance related to the preparation of security documentation (such as system security plans, risk assessments, and contingency plans) and other applicable NIST guidance for information technology security processes, procedures, and testing.

The previous version of MD 12.5 did not require compliance with NIST guidelines; however, Office of Management and Budget (OMB) Circular A-130, Management of Federal Information Resources, Appendix III, Security of Federal Automated Information Resources, states that each agency's program shall implement policies, standards, and procedures which are consistent with government-wide policies, standards, and procedures issued by the Office of Management and Budget, the Department of Commerce, the General Services Administration, and the Office of Personnel Management. OMB periodically reminds agencies that agency security practices should be consistent with NIST guidance. The FY 2004 FISMA guidance issued by OMB specifically states that agencies must follow NIST standards and guidance. Use of NIST guidance is flexible, provided agency implementation is consistent with the principles and processes outlined within the NIST guidance.

Carson Associates reviewed the ADAMS Risk Assessment, Security Plan, and Business Continuity Plan and found that while the documentation is up-to-date, it is not always consistent with NIST guidelines.

Security Protection Requirements Are Inconsistent Within Security Documentation

FISMA defines the term "information security" to mean protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability. Confidentiality is preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information. Integrity is guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity. Availability is ensuring timely and reliable access to and use of information. Confidentiality, integrity, and availability are often referred to as security protection requirements or security objectives for a system. The security protection requirements defined in the ADAMS Security Plan and in the FY 2003 and FY 2004 ADAMS self-assessments are inconsistent.

Findings and Recommendations Resulting From Testing Are Not Consistently Being Tracked

The FY 2003 FISMA independent evaluation of NRC's information security program found that not all corrective actions resulting from security reviews and testing were being tracked and that the agency's corrective action process needed improvement. The Office of the Inspector General (OIG) recommended that the agency identify all weaknesses and recommendations from security documentation and any other security reviews, and determine in which tool the recommendations will be tracked. In November 2003, the Office of the Chief Information Officer (OCIO) issued a memo describing the agency's information technology security action item tracking process, strategy, and tools. Carson Associates found that findings and recommendations resulting from testing of ADAMS security controls and from ADAMS contingency plan testing are not consistently being tracked.

RECOMMENDATIONS

This report makes six recommendations to the Executive Director for Operations to strengthen management, operational, and technical controls for ADAMS. A consolidated list of recommendations appears on page 13 of this report.

AGENCY COMMENTS

On September 15, 2004, the Executive Director for Operations provided comments concerning the draft system evaluation report. We modified the report as we determined appropriate in response to these comments.


ABBREVIATIONS AND ACRONYMS

ADAMS    Agencywide Documents Access and Management System
BCP      Business Continuity Plan
FIPS     Federal Information Processing Standards
FISMA    Federal Information Security Management Act
FY       Fiscal Year
GISRA    Government Information Security Reform Act
ITSSTS   Information Technology Systems Security Tracking System
MD       Management Directive
NIST     National Institute of Standards and Technology
NRC      U.S. Nuclear Regulatory Commission
OCIO     Office of the Chief Information Officer
OIG      Office of the Inspector General
OMB      Office of Management and Budget
POA&M    Plan of Action and Milestones
SP       Special Publication


TABLE OF CONTENTS

Executive Summary ........................................................... i
1 Background ................................................................. 1
2 Purpose .................................................................... 2
3 Findings ................................................................... 2
    3.1 Security Documentation Is Not Always Consistent With NIST Guidelines ............ 2
    3.2 Security Protection Requirements Are Inconsistent Within Security Documentation ... 9
    3.3 Findings and Recommendations Resulting From Testing Are Not Consistently Being Tracked ... 10
4 Consolidated List of Recommendations ...................................... 13
5 OIG Response to Agency Comments ........................................... 14

Appendices
    Appendix A: Scope and Methodology ....................................... 15


1   Background

On December 17, 2002, the President signed the E-Government Act of 2002 (Public Law 107-347), which includes the Federal Information Security Management Act (FISMA) of 2002.[1] FISMA outlines the information security management requirements for agencies, which include an independent evaluation of an agency's information security program and practices, and an evaluation of the effectiveness of information security control techniques. FISMA also requires an assessment of compliance with requirements and related information security policies, procedures, standards, and guidelines. As part of the Fiscal Year 2004 FISMA independent evaluation of the U.S. Nuclear Regulatory Commission's (NRC) information technology security program, Richard S. Carson Associates, Inc. (Carson Associates) reviewed security controls for the Agencywide Documents Access and Management System (ADAMS).

[1] The Federal Information Security Management Act of 2002 was enacted on December 17, 2002, as part of the E-Government Act of 2002 (Public Law 107-347), and replaces the Government Information Security Reform Act, which expired in November 2002.

Agencywide Documents Access and Management System

ADAMS is an electronic record keeping system that has been approved by the National Archives and Records Administration. NRC processes hundreds of legal, administrative, and regulatory documents each day. These documents are generated both internally and externally in various formats and are made available, in whole or in part, to the Government or the public, for reference and reuse. NRC developed ADAMS to replace the paper-oriented environment that no longer supported its needs. ADAMS provides the basis for modernizing the legacy document reference searching and microfiche retrieval system, for automating manual document handling processes, and for consolidating various office-based systems into one central system for document capture, storage, control, and dissemination. ADAMS provides the capability for staff to collaborate on and track the progress of documents in preparation, store all documents electronically in one location, capture documents as they are created, and search the electronic document collection and the index of the existing historical collection from their workstations.

The NRC Office of the Chief Information Officer (OCIO) is the ADAMS system owner. The system is categorized as a Major Application[2] and is in the operational[3] phase of its life cycle.

[2] An application that requires special attention to security due to the risk and magnitude of harm resulting from the loss, misuse, or unauthorized access to or modification of the information in the application.
[3] A system's life cycle typically comprises five phases: initiation, development/acquisition, implementation, operation/maintenance, and disposal. In the operation/maintenance phase, systems are in place and operating, enhancements and/or modifications to the system are developed and tested, and hardware and/or software is added or replaced.

System Evaluation Process

ADAMS was evaluated by reviewing system documentation maintained by OCIO. As recommended by the Office of Management and Budget (OMB), Carson Associates reviewed the following documents for adherence to standards and consistency with guidelines issued by the National Institute of Standards and Technology (NIST).

   •   ADAMS Risk Assessment, March 2002
   •   ADAMS Security Plan, June 2002
   •   ADAMS Business Continuity Plan, June 2002, and a revised draft from May 2004
   •   ADAMS Security Test and Evaluation Plan and Report, June 2002
   •   Certification and Accreditation Statement, July 2002
   •   Mitigation Plan, July 2002
   •   Privacy Impact Assessment
   •   FY 2003 and draft FY 2004 ADAMS Self-Assessment

The documents were reviewed to determine whether they are consistent with NIST guidance and whether they describe the management,[4] operational,[5] and technical[6] controls in place for ADAMS.

[4] The security controls (i.e., safeguards or countermeasures) for an information system that focus on the management of risk and the management of information system security.
[5] The security controls (i.e., safeguards or countermeasures) for an information system that primarily are implemented and executed by people (as opposed to systems).
[6] The security controls (i.e., safeguards or countermeasures) for an information system that are primarily implemented and executed by the information system through mechanisms contained in the hardware, software, or firmware components of the system.

2   Purpose

The system evaluation objectives were to review and evaluate the management, operational, and technical controls for ADAMS.

3   Findings

Carson Associates reviewed ADAMS security documentation and found that:

   •   ADAMS security documentation is not always consistent with National Institute of Standards and Technology guidelines.
   •   Security protection requirements are inconsistent within ADAMS security documentation.
   •   Findings and recommendations resulting from testing are not consistently being tracked.

None of these weaknesses are considered to be significant deficiencies or reportable conditions as defined in Office of Management and Budget guidance.

3.1   Security Documentation Is Not Always Consistent With NIST Guidelines

FISMA directs the Secretary of Commerce, on the basis of standards and guidelines developed by NIST, to prescribe standards and guidelines pertaining to Federal information systems. NIST has developed several guidelines and standards, including those for conducting risk assessments and for developing security plans and contingency plans. NRC Management Directive (MD) 12.5, NRC Automated Information Security Program, which was revised in September 2003, states that NRC shall comply with NIST guidance, to include guidance related to the preparation of security documentation (such as system security plans, risk assessments, and contingency plans) and other applicable NIST guidance for information technology security processes, procedures, and testing.

The previous version of MD 12.5 did not require compliance with NIST guidelines; however, OMB Circular A-130, Management of Federal Information Resources, Appendix III, Security of Federal Automated Information Resources, states that each agency's program shall implement policies, standards, and procedures which are consistent with government-wide policies, standards, and procedures issued by the Office of Management and Budget, the Department of Commerce,[7] the General Services Administration, and the Office of Personnel Management. OMB periodically reminds agencies that agency security practices should be consistent with NIST guidance. The FY 2004 FISMA guidance issued by OMB[8] specifically states that agencies must follow NIST standards and guidance. Use of NIST guidance is flexible, provided agency implementation is consistent with the principles and processes outlined within the NIST guidance.

[7] NIST is part of the Technology Administration within the Department of Commerce.
[8] OMB Memorandum M-04-25, FY 2004 Reporting Instructions for the Federal Information Security Management Act, dated August 23, 2004.

Carson Associates reviewed the ADAMS Risk Assessment, Security Plan, and Business Continuity Plan and found that while the documentation is up-to-date, it is not always consistent with NIST guidelines.

ADAMS Risk Assessment Report Is Not Consistent With NIST Guidelines

The Final ADAMS Risk Assessment Report, dated March 25, 2002, states that the methodology used to conduct the risk assessment was "based on guidance provided in NIST Special Publication (SP) 800-30, Risk Management Guide."[9] However, the Risk Assessment Report is not consistent with the referenced NIST document. Specifically, the Risk Assessment Report (1) does not describe the threat-sources and vulnerabilities identified for ADAMS, and (2) does not describe how risk levels were determined.

[9] While the cover of NIST SP 800-30 indicates it was published in July 2002, the document was first published in its current form in January 2002.

NIST SP 800-30 describes risk as "a function of the likelihood of a given threat-source's[10] exercising a particular potential vulnerability,[11] and the resulting impact of that adverse event on the organization." The risk assessment methodology described in NIST SP 800-30 encompasses nine primary steps. Step 2 is threat identification, and Step 3 is vulnerability identification. The output from Step 2 is a threat statement containing a list of threat-sources that could exploit system vulnerabilities. The output from Step 3 is a list of the system vulnerabilities that could be exercised by the potential threat-sources. Each threat-source/vulnerability pair identifies a potential threat to the system.

[10] A threat-source is either (1) intent and method targeted at the intentional exploitation of a vulnerability or (2) a situation and method that may accidentally trigger a vulnerability.
[11] The potential for a particular threat-source to exercise (accidentally trigger or intentionally exploit) a particular vulnerability is also known as a threat. A vulnerability is a flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised (accidentally triggered or intentionally exploited) and result in a security breach or a violation of the system's security policy.

The ADAMS Risk Assessment Report presents a table summarizing the findings and recommendations. The second column of the table is labeled "Risk" when, in fact, the data in this column represent threats. The ADAMS Risk Assessment Report does not include a list of potential threat-sources that could exploit system vulnerabilities, does not include a list of potential vulnerabilities applicable to the system, and does not discuss the threat-source/vulnerability pairs that identified the threats listed in the summary table.

NIST SP 800-30 describes Steps 5 and 6 of the risk assessment methodology as likelihood determination and impact analysis. Step 7 is risk determination, which is a function of the likelihood of a given threat-source's attempting to exercise a given vulnerability (i.e., the likelihood of the threat), the magnitude of the impact should a threat-source successfully exercise the vulnerability (i.e., the impact of the threat), and the adequacy of planned or existing security controls for reducing or eliminating risk. To measure risk, a risk scale and risk-level matrix must be developed.

In the ADAMS Risk Assessment Report, the fourth column of the table summarizing the findings and recommendations is labeled "Level of Risk" and contains values of either "High," "Medium," or "Low." However, the ADAMS Risk Assessment Report does not identify or describe how these risk levels were determined. According to the risk-level matrix presented in NIST SP 800-30, a threat identified as having a "Medium" risk level could mean any of the following:

   •   The threat has a high likelihood and a medium impact
   •   The threat has a medium likelihood and a medium impact
   •   The threat has a medium likelihood and a high impact

The ADAMS Risk Assessment Report identifies several threats with a "Medium" risk level, but does not describe whether these were threats with a high impact or a high likelihood. The controls recommended to mitigate the risk could vary greatly depending on which factor (likelihood or impact) contributed the most to the risk level. Understanding likelihood and impact is also important in prioritizing the implementation of recommended corrective actions. If the agency must choose which of two medium risks to mitigate first, the agency might want to address the risk with the high impact first.

RECOMMENDATION

   The Office of the Inspector General recommends that the Executive Director for Operations:

   1. Update the ADAMS Risk Assessment Report to be consistent with National Institute of Standards and Technology Special Publication 800-30, Risk Management Guide.
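The ambiguity described above can be made concrete. The following is an added example, not code from the report, from NRC, or from NIST: it implements the NIST SP 800-30 risk-level matrix (likelihood High = 1.0, Medium = 0.5, Low = 0.1; impact High = 100, Medium = 50, Low = 10; product binned as High above 50, Medium above 10 through 50, Low otherwise), enumerates every likelihood/impact pair that collapses to a given level, and shows why recording likelihood and impact next to the level lets corrective actions be ordered with high impact first. The threat entries are constructed, hypothetical data, not rows from the ADAMS Risk Assessment Report.

```python
"""NIST SP 800-30 risk determination, worked through the report's point.

Added example; not code from the report, the NRC, or NIST.  The scales are
the ones SP 800-30 (2002) uses for its risk-level matrix: likelihood
High = 1.0, Medium = 0.5, Low = 0.1 and impact High = 100, Medium = 50,
Low = 10, with the product binned as High (>50), Medium (>10 to 50) or
Low (1 to 10).  Likelihood is multiplied by 10 here so the arithmetic stays
in integers; the bin thresholds are scaled the same way.
"""
from dataclasses import dataclass
from itertools import product

LIKELIHOOD = {"High": 10, "Medium": 5, "Low": 1}   # SP 800-30 values x10
IMPACT = {"High": 100, "Medium": 50, "Low": 10}
RANK = {"High": 0, "Medium": 1, "Low": 2}           # ordering helper only


def risk_level(likelihood: str, impact: str) -> str:
    """Step 7 of SP 800-30: bin likelihood x impact into High/Medium/Low."""
    score = LIKELIHOOD[likelihood] * IMPACT[impact]   # 1000 here == 100 in SP 800-30
    if score > 500:
        return "High"
    if score > 100:
        return "Medium"
    return "Low"


def pairs_for_level(level: str) -> list[tuple[str, str]]:
    """All (likelihood, impact) pairs the matrix collapses into one level.

    This is the ambiguity the report describes: a bare "Medium" in the
    risk column cannot be mapped back to a single likelihood/impact pair.
    """
    return [(lk, im) for lk, im in product(LIKELIHOOD, IMPACT)
            if risk_level(lk, im) == level]


@dataclass(frozen=True)
class ThreatEntry:
    """One threat-source/vulnerability pair with its Step 5 and Step 6 ratings."""
    threat: str
    likelihood: str
    impact: str

    @property
    def level(self) -> str:
        return risk_level(self.likelihood, self.impact)


def prioritize(entries: list[ThreatEntry]) -> list[ThreatEntry]:
    """Order corrective actions: risk level first, then impact, then likelihood.

    Only possible when likelihood and impact are recorded alongside the
    level, which is what the report asks the Risk Assessment to show.
    """
    return sorted(entries,
                  key=lambda e: (RANK[e.level], RANK[e.impact], RANK[e.likelihood]))


# Constructed sample entries (hypothetical threats, not from the ADAMS report).
SAMPLE = [
    ThreatEntry("accidental deletion of records by an authorized user", "Medium", "Medium"),
    ThreatEntry("unauthorized modification through a shared account", "Medium", "High"),
    ThreatEntry("lost removable media containing output reports", "High", "Medium"),
    ThreatEntry("extended power outage at the primary site", "Low", "High"),
]

if __name__ == "__main__":
    print("pairs behind 'Medium':", pairs_for_level("Medium"))
    for e in prioritize(SAMPLE):
        print(f"{e.level:6} L={e.likelihood:6} I={e.impact:6} {e.threat}")
```

Three of the four sample threats land on "Medium"; with only the level recorded they are indistinguishable, while with likelihood and impact recorded the medium-likelihood/high-impact one sorts to the top, and the low-likelihood/high-impact outage is correctly a "Low" under the matrix rather than a guess.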
The controls\nrecommended to mitigate the risk could vary greatly depending on which factor (likelihood or\nimpact) contributed the most to the risk level. Understanding likelihood and impact is also\nimportant in prioritizing the implementation of recommended corrective actions. If the agency\nmust choose between which medium risk to mitigate first, the agency might want to address the\nrisk with the high impact first.\n\nRECOMMENDATION\n\n   The Office of the Inspector General recommends that the Executive Director for Operations:\n\n   1. Update the ADAMS Risk Assessment Report to be consistent with National Institute of\n      Standards and Technology Special Publication 800-30, Risk Management Guide.\n\n\n\n\n                                                 4\n\x0c                                                                           System Evaluation of ADAMS\n\n\n\nADAMS Security Plan Does Not Describe All Security Controls Identified As In-Place\n\nOMB A-130 states that security plans shall be consistent with guidance issued by NIST. NIST\nSP 800-18, Guide for Developing Security Plans for Information Technology Systems, states that\nthe purpose of a security plan is to provide an overview of the security requirements of the\nsystem and describe controls in place or planned for meeting those requirements. NIST SP 800-\n18 also states that the security plan should fully identify and describe the controls currently in\nplace, or planned for the system. 
However, Carson Associates found several areas in the Final\nSystem Security Plan for ADAMS, dated June 7, 2002, where controls were not described.\n\nIn order to identify what controls are currently in place for ADAMS, Carson Associates\nreviewed and analyzed two other documents in conjunction with the ADAMS Security Plan \xe2\x80\x93 the\nADAMS self-assessment, and results from security test and evaluation of ADAMS controls\nconducted during the certification and accreditation of ADAMS.\n\nFISMA requires agencies to test the management, operational, and technical controls of every\ninformation system identified in their inventory no less than annually. OMB has instructed\nagencies to use NIST SP 800-26, Self-Assessment Guide for Information Technology Systems, to\nconduct the annual reviews. NIST SP 800-26 is based on the Chief Information Officer\nCouncil\xe2\x80\x99s \xe2\x80\x9cFederal Information Technology Security Assessment Framework\xe2\x80\x9d (the Framework).\nThe Framework comprises five levels to guide agency assessments of their security programs\nand assist in prioritizing efforts for improvement. Level 1 reflects that an asset has documented\nsecurity policy. At Level 2, the asset also has documented procedures and controls to implement\nthe policy. For Level 3, procedures and controls have been implemented to protect the asset.\nLevel 4 indicates that procedures and controls are tested and reviewed. Finally, at Level 5, the\nasset has procedures and controls fully integrated into a comprehensive program.\n\nCarson Associates reviewed the FY 2003 ADAMS self-assessment in order to identify controls\nin place for ADAMS. Any controls marked at least at a Level 3 in the ADAMS self-assessment\nare considered to be in place based on the above definitions. 
The FY 2003 self-assessment was\nreviewed as the agency had only provided a draft of the FY 2004 self-assessment when the\nfieldwork was conducted.\n\nCarson Associates also reviewed the results of the security test and evaluation of ADAMS\ncontrols conducted during the certification and accreditation of ADAMS. Security certification\nis a comprehensive assessment of the management, operational, and technical security controls in\nan information system, made in support of security accreditation, to determine the extent to\nwhich the controls are implemented correctly, operating as intended, and producing the desired\noutcome with respect to meeting the security requirements for the system. Appendix D of the\nADAMS Security Test and Evaluation Plan and Report, dated June 14, 2002, includes test\nprocedure worksheets used to record the results of the testing. The test objectives on the test\nprocedure worksheets correspond to the control objectives in the NIST SP 800-26 self-\nassessment. Each test objective is marked as either pass, fail, or not applicable. A test objective\nmarked as pass represents a security control that is in place.\n\nAs a result of the review of the ADAMS Security Plan, self-assessment, and security test and\nevaluation results, Carson Associates identified several cases where either the self-assessment\n\n\n                                                 5\n\x0c                                                                            System Evaluation of ADAMS\n\n\n\nand/or the test procedure worksheet indicated a control was in place, but it was not described in\nthe Security Plan. The following are some examples:\n\n   \xe2\x80\xa2   The ADAMS Security Plan does not describe the process for requesting, establishing,\n       issuing, and closing user accounts. 
However, this control is marked as "pass" on the test procedure worksheets and at Level 5 in the ADAMS self-assessment.
   •   The ADAMS Security Plan does not describe the processes for ensuring that only authorized users pick up, receive, or deliver input and output information and media. This control is also marked as "pass" on the test procedure worksheets and at Level 5 in the ADAMS self-assessment.
   •   The ADAMS Security Plan does not describe how lists of authorized users and their access are maintained and approved, whether digital signatures are used, or whether access scripts with embedded passwords are prohibited. However, each of these controls is marked at Level 5 in the ADAMS self-assessment and as "pass" on the test procedure worksheets.

Carson Associates also identified several instances where the information in the ADAMS Security Plan, self-assessment, and test procedure worksheets is inconsistent. The following are some examples:

   •   The hardware and software maintenance controls related to reviewing a system to identify, and when possible eliminate, unnecessary services, and to periodically reviewing a system for known vulnerabilities and promptly installing software patches, are marked as "fail" on the test procedure worksheets but at Level 5 in the ADAMS self-assessment.
These controls are not described in the ADAMS Security Plan.
   •   OFFICIAL USE ONLY PARAGRAPH REDACTED
   •   The test procedure worksheets indicate that penetration testing is performed on the system. The ADAMS self-assessment indicates that extensive penetration testing is performed at least every two years on the NRC local area network/wide area network, which includes ADAMS. The penetration testing is performed by OCIO. However, penetration testing is not described in the ADAMS Security Plan.
   •   Of the nine controls related to audit trails, seven are marked as "fail," one as "pass," and one as "not applicable" on the test procedure worksheets. The test procedure worksheets include a notation that ADAMS does not have the capability to audit user actions. However, all but two of the controls related to audit trails are marked at Level 5 in the ADAMS self-assessment.

Finally, procedures for ensuring that users who no longer require access to ADAMS are removed from the system are described in the logical access controls section of the ADAMS Security Plan, which is contrary to guidance from NIST SP 800-18 and NIST SP 800-26. This control is found in the identification and authentication section of both NIST documents.

According to the agency, the ADAMS Security Plan is being updated in September 2004.

RECOMMENDATIONS

   The Office of the Inspector General recommends that the Executive Director for Operations:

   2. Update the ADAMS Security Plan to describe all controls currently in place.
In-place controls are those marked at Level 3 or higher in the self-assessment and documented as passed in the last Security Test and Evaluation Plan and Report, or in any test and evaluation of controls added since publication of that report.

   3. Update the ADAMS self-assessment to reflect controls in place. In-place controls are those documented as passed in the last Security Test and Evaluation Plan and Report, or in any test and evaluation of controls added since publication of that report.

ADAMS Business Continuity Plan Is Not Consistent With NIST Guidelines

Carson Associates reviewed the ADAMS Business Continuity Plan (BCP), dated June 14, 2002, and a draft revised version dated May 20, 2004. Guidance on developing contingency plans can be found in NIST SP 800-34, Contingency Planning Guide for Information Technology Systems, which was published in June 2002. As recommended by OMB, Carson Associates reviewed the ADAMS BCP for consistency with NIST guidelines and found that in some instances the ADAMS BCP is not consistent with those guidelines.

According to the agency, NRC requires annual updates of all BCPs; however, NRC only requires conformance with current NIST guidance at the time of re-accreditation. This policy is not documented in any agency management directive or in any documentation reviewed by Carson Associates. Carson Associates was informed of this policy during the exit conference held to discuss the findings of the ADAMS system evaluation.

Subsequent to the exit conference, Carson Associates reviewed previous NIST guidance on the preparation of contingency plans, Federal Information Processing Standards (FIPS) Publication 87, Guidelines for ADP Contingency Planning, and found that the ADAMS BCP (both the 2002 and 2004 versions) is also not consistent with the FIPS 87 guidance.
As stated earlier in this report, while the version of MD 12.5 that was in effect at the time the ADAMS BCP was first published did not require compliance with NIST guidelines, OMB requires agencies to follow NIST standards and guidance.

NIST SP 800-34 describes notification procedures and states that they should be documented in the plan both for events that occur with prior notice and for events that occur without it. For example, advance notice is often given that a hurricane will affect an area or that a computer virus is expected on a certain date, whereas there may be no notice of an equipment failure or a criminal act. The procedures should describe the methods used to notify recovery personnel during business and non-business hours. Prompt notification is important for reducing the effects on the system; in some cases it may provide enough time for system personnel to shut the system down gracefully and avoid a hard crash.

NIST SP 800-34 also states that the personnel to be notified in the event of a disaster should be clearly identified in the contact list appended to the plan. The list should identify personnel by team position, name, and contact information (e.g., home number, work number, pager number, email address, and home address). FIPS 87 also stresses the importance of including in the BCP the name, address, and phone numbers of all people who may be required in any backup or recovery scenario.

However, some of the personnel contact information in the ADAMS BCP is not up to date, and the BCP does not include notification procedures or contact information for notifying personnel during non-business hours. In some cases, the ADAMS BCP does not include personnel contact information for team leaders, alternate team leaders, or team members.
For example, the BCP does not identify contact information for the team leader or alternate team leader of the Damage Assessment/Salvage Team, or non-business-hours contact information for the Disaster Recovery Coordinator and alternate. Not having up-to-date contact information to reach the designated teams during both business and non-business hours may delay the disaster recovery process.

NIST SP 800-34 defines the reconstitution phase as the point at which recovery activities are terminated and normal operations are transferred back to the organization's facility. The reconstitution phase should specify the teams responsible for restoring or replacing both the site and the system. The ADAMS BCP does not include procedures for restoring system operations that cover cleaning the alternate site of any equipment or other materials belonging to the organization, with a focus on handling sensitive information. While FIPS 87 does not discuss specific procedures for cleaning the alternate site of equipment or other materials belonging to the organization, these procedures are necessary to ensure that no sensitive materials remain at the alternate site.

RECOMMENDATION

   The Office of the Inspector General recommends that the Executive Director for Operations:

   4.
Update the ADAMS Business Continuity Plan to include the following changes:

       •   Describe the methods used to notify recovery personnel during business and non-business hours for all scenarios.
       •   Incorporate all team roles and responsibilities and relevant point-of-contact information for team leaders, alternate team leaders, and team members for all scenarios.
       •   Include procedures for restoring system operations, with a focus on how to clean the alternate site of any equipment or other materials belonging to the organization.

3.2   Security Protection Requirements Are Inconsistent Within Security Documentation

FISMA defines the term "information security" to mean protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability. Confidentiality is preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information. Integrity is guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity. Availability is ensuring timely and reliable access to and use of information. Confidentiality, integrity, and availability are often referred to as the security protection requirements or security objectives for a system.

FIPS Publication 199, Standards for Security Categorization of Federal Information and Information Systems, requires all Federal agencies to categorize their systems by assigning potential impact levels to the three security objectives.
The potential impact is low if the loss of confidentiality, integrity, or availability could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.12 The potential impact is moderate (medium) if the loss could be expected to have a serious adverse effect, and high if the loss could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.

The ADAMS Security Plan and the FY 2003 ADAMS self-assessment define the protection requirements for ADAMS as follows:

      •   Confidentiality – High
      •   Integrity – High
      •   Availability – Medium

However, the FY 2004 ADAMS draft self-assessment defines the protection requirements for ADAMS as follows:

      •   Confidentiality – High
      •   Integrity – High
      •   Availability – High

The protection requirements should be consistent across the security documentation for a system. A change in protection requirements could indicate a need to re-evaluate the risks to the system, especially if the change is from a lower rating to a higher one. Because ADAMS is already rated High for confidentiality and integrity, raising availability to High does not change the highest impact level assigned to the system, but it does raise the expectations placed on the availability controls, including the contingency planning discussed above.
If the protection requirements have changed since the ADAMS Security Plan was finalized, then an explanation for the change should be noted on the ADAMS self-assessment.

12 Adverse effects on individuals may include, but are not limited to, loss of the privacy to which individuals are entitled under law.

RECOMMENDATION

      The Office of the Inspector General recommends that the Executive Director for Operations:

      5. Update the ADAMS Security Plan and/or ADAMS self-assessment to consistently define the protection requirements (confidentiality, integrity, availability).

3.3   Findings and Recommendations Resulting From Testing Are Not Consistently Being Tracked

The FY 2003 FISMA independent evaluation of NRC's information security program found that the agency's corrective action process needed improvement. NRC has two primary tools for tracking the progress of corrective actions for weaknesses identified during the annual agency security review, the OIG independent evaluation, various security documents, and other security studies conducted by or on behalf of the agency. At a high level, NRC uses the plan of action and milestones (POA&M) submitted to OMB to track corrective actions from the OIG annual independent evaluation and the agency's annual review. At a more detailed level, NRC uses the NRC Information Technology Systems Security Tracking System (ITSSTS) to track the progress of internal corrective actions (i.e., those not reported to OMB).
ITSSTS is used to track more specific corrective actions, such as those resulting from risk assessments; security test and evaluation associated with the certification and accreditation process; and contingency plan testing.

The FY 2003 FISMA independent evaluation of NRC's information security program also found that not all corrective actions resulting from security reviews and testing were being tracked. The OIG recommended that the agency identify all weaknesses and recommendations from security documentation and any other security reviews, and determine in which tool each recommendation will be tracked. In November 2003, OCIO issued a memo describing the agency's information technology security action item tracking process, strategy, and tools. The memo describes the types of activities that might identify security weaknesses in NRC information technology systems and the two tools NRC uses to track the progress of security corrective actions: the FISMA POA&M and the ITSSTS. Carson Associates found that findings and recommendations resulting from testing of ADAMS security controls and from ADAMS contingency plan testing are not consistently being tracked.

Findings Resulting from the ADAMS Certification and Accreditation Are Not Consistently Being Tracked

The ADAMS Risk Assessment identified thirteen risks, and the Security Test and Evaluation Plan and Report identified eight risks. A Mitigation Plan submitted with the ADAMS certification and accreditation package in July 2002 combined the risks identified during the risk assessment and the security test and evaluation into one list. Carson Associates could not account for four of the risks in the ADAMS Mitigation Plan in the current instance of ITSSTS.
These risks were (1) ADAMS servers contain a multitude of questionable open ports and services; (2) the draft contingency plan is outdated and has never been implemented, tested, or approved by management, and no hot site13 was identified; (3) incident response procedures have not been documented; and (4) ADAMS servers do not have anti-virus software installed.

According to the agency, these four risks were tracked and completed in 2002. At the exit conference held to discuss the findings of the ADAMS system evaluation, the agency provided documentation (output from a previous instance of the ITSSTS) supporting its statement that the risks were tracked and completed in 2002, but only for three of the four risks listed above. The agency could not determine why those three risks were not in the current instance of the ITSSTS and could not explain why the fourth risk could not be found in any instance of the ITSSTS. Without a retained closure record, the agency cannot demonstrate that the weakness was in fact corrected.

Corrective Actions Resulting from the ADAMS BCP Testing Are Not Being Tracked

Carson Associates reviewed an OCIO memorandum dated March 15, 2004, regarding the successful completion of the ADAMS main library disaster recovery test. The memo states that on November 20, 2003, the ADAMS main library disaster recovery process was successfully tested, including restoration at the ADAMS off-site recovery facility. The testing resulted in five action items; however, none of them is being tracked in the ITSSTS or in the agency's POA&M submitted to OMB.

RECOMMENDATION

     The Office of the Inspector General recommends that the Executive Director for Operations:

     6.
Track all action items resulting from testing of the ADAMS security controls and contingency plan in either the agency's internal tracking system or the agency's plan of action and milestones submitted to OMB.

13 A hot site is a fully operational off-site data processing facility equipped with hardware and system software to be used in the event of a disaster.

4      Consolidated List of Recommendations

The Office of the Inspector General recommends that the Executive Director for Operations:

    1. Update the ADAMS Risk Assessment Report to be consistent with National Institute of Standards and Technology Special Publication 800-30, Risk Management Guide for Information Technology Systems.

    2. Update the ADAMS Security Plan to describe all controls currently in place. In-place controls are those marked at Level 3 or higher in the self-assessment and documented as passed in the last Security Test and Evaluation Plan and Report, or in any test and evaluation of controls added since publication of that report.

    3. Update the ADAMS self-assessment to reflect controls in place. In-place controls are those documented as passed in the last Security Test and Evaluation Plan and Report, or in any test and evaluation of controls added since publication of that report.

    4.
Update the ADAMS Business Continuity Plan to include the following changes:

       •   Describe the methods used to notify recovery personnel during business and non-business hours for all scenarios.
       •   Incorporate all team roles and responsibilities and relevant point-of-contact information for team leaders, alternate team leaders, and team members for all scenarios.
       •   Include procedures for restoring system operations, with a focus on how to clean the alternate site of any equipment or other materials belonging to the organization.

    5. Update the ADAMS Security Plan and/or ADAMS self-assessment to consistently define the protection requirements (confidentiality, integrity, availability).

    6. Track all action items resulting from testing of the ADAMS security controls and contingency plan in either the agency's internal tracking system or the agency's plan of action and milestones submitted to OMB.

5      OIG Response to Agency Comments

On September 15, 2004, the Executive Director for Operations provided comments concerning the draft system evaluation report.
We modified the report as we determined appropriate in response to these comments.

Appendix A

SCOPE AND METHODOLOGY

To perform the ADAMS system evaluation, Carson Associates reviewed the system's security documentation, including the Security Plan, Risk Assessment, self-assessment, Business Continuity Plan, Security Test and Evaluation Plan and Report, Certification and Accreditation documentation, and the completion of weaknesses addressed, if any, within the FY 2003 plan of action and milestones. Comprehensive document checklists were used in the evaluation process.

The work was conducted from June 2004 to August 2004 in accordance with guidelines from the National Institute of Standards and Technology and best practices for evaluating security controls. Diane Reilly and Jane Laroussi from Carson Associates conducted the work.